Received a random package you did not order? You may be a victim of the “Brushing” program – here's how it works
Ray Simmons was confused when an Amazon packaging filled with beet chewed landed at his doorstep.
“I do think one of my family is kidding and they told me I need to be healthier,” Simmons shared with WSB-TV Atlanta.
Don't miss it
But the package is not a joke. Simmons would learn, and he wouldn't be the target of a scam called “brushing.” The program reportedly aims to leverage consumer data and manipulate online product reviews (USPIS report).
While this may seem harmless, USPIS has issued a warning to Americans across the country: If you receive a package you did not order, please do not scan any of the included QR codes.
What is a scam?
The brushing scam involves third-party sellers on e-commerce platforms who send unsolicited low-value items to random people whose names and addresses are found online.
Once shipped, the scammers will issue fake five-star comments online using the recipient's name or a fake profile similar to the recipient. The purpose is to make the seller's products appear popular and highly rated to gain more visibility and sales.
“They ordered nothing, they received anything, usually household items, a low value item,” said U.S. Postal Inspector David Gealey. “They have your personal information, which is easy to get because they can only search for a name and address online. It's online, right?”
Although a toothbrush scam may not directly result in financial losses, it indicates that your personal information (such as your name and address) is being used without your knowledge. This personal information may be spread in unsecured databases or among bad actors online.
All of these are the reasons for attracting attention, but the danger of the scam can become even worse if the target is not cautious.
Read more: You may have paid too much for this 1 “must” fee – your monthly bill may be raised due to Trump's tariffs. Here's how to protect your wallet now in 2 minutes
The real threat: QR code
The postal inspector said that when these packages include QR codes, the real danger comes up, which urged the recipient to scan for more information or confirm delivery. These codes can cause malicious websites to steal personal data, install malware or phish for sensitive information.
“We do care about customers: don't scan any QR codes on the packaging, because sometimes QR codes can lead to malicious websites,” Gealey warned.
Fortunately, Simmons' package does not contain QR codes. However, he still took some necessary steps to protect himself and make sure his Amazon and bank accounts have not been compromised yet.
What to do if you receive a parcel that you haven't ordered
Receiving an unexpected package may indicate that your personal information is being abused. This is recommended by USPIS.
Do not scan the QR code: As we discussed above, scanning QR codes from unreliable sources can cause a lot of trouble, which can lead to personal data or harmful malware installed on the device.
Do not return to the project: You have no legal obligation to return unsolicited items. It is safe to simply keep or discard the package, but do not follow any of the instructions included.
Check your financial account: Check out your online banking and credit card statements now, along with your online shopping profile and Amazon account activity to make sure your account has not been hacked yet.
Report Package: Notify you of your local police department, USPIS and/or the Federal Trade Commission regarding unsolicited programs. Reporting packages can help authorities conduct investigations and potentially prevent others from becoming victims.
What to read next
This article provides information only and should not be construed as advice. It is without any warranty of any kind.
